Use Case 4: Full Device Protection
As shown in the previous use cases, administrators can add access control policies at the file system or directory level, controlling normal user access to the protected files. This does not, however, stop users with Administrator privileges on the Windows machine from opening the protected disks or volumes directly with Windows administration tools such as DiskPart.
By opening a disk or volume directly, a Windows Administrator reads and writes the cleartext data on the device and bypasses the file-level access controls entirely. To prevent this, include a process set in the policy associated with the device-level GuardPoint. The process set is a white list of the processes that are allowed to access the protected device; CTE blocks any process that is not on the list, regardless of the privileges of the user running it.
Thales recommends adding at least the following system processes to your process set. These system processes are used to create snapshots and perform other standard disk management tasks; leaving them out breaks normal volume management on the host. You can add other processes to your white list as required.
- Windows\System32\ntoskrnl.exe
- Windows\System32\svchost.exe
- Windows\System32\vds.exe
- Windows\System32\wbem\WmiPrvSE.exe
For an additional layer of protection, you can create a signature set that contains the signature of each process in your white list. If the process set includes signature information, CTE uses that signature to verify the integrity of the process binary before it allows the process to access the protected data, so a renamed or tampered executable that happens to match a white-listed path is still blocked.
Signature sets are host-specific, because the same process binary can differ from host to host (different OS builds and patch levels ship different versions of ntoskrnl.exe, svchost.exe and the other system binaries). If you add a signature set to a policy, assign that policy only to devices on the host for which the signature set was generated, and regenerate the signature set after the host's system binaries are updated.
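The following PowerShell script is an added example and is not Thales code; it does not produce CTE signature sets. It inventories the four processes recommended above on the local host, confirms each binary exists under the assumed `$env:SystemRoot` (normally `C:\Windows`), records its SHA-256 hash and Authenticode status, and compares the result with a baseline taken earlier. Running it on two hosts, or on one host before and after a patch cycle, shows concretely why a signature set captured on one host should not be assigned to another.

```powershell
# Added example (not Thales CTE code). The hashes below are for change tracking only;
# they are not the signatures CTE stores in a signature set.
# Assumption: the recommended binaries live under $env:SystemRoot (C:\Windows).
$ProcessSet = @(
    'System32\ntoskrnl.exe',
    'System32\svchost.exe',
    'System32\vds.exe',
    'System32\wbem\WmiPrvSE.exe'
)

function Get-ProcessSetInventory {
    param(
        [string[]]$RelativePaths = $ProcessSet,
        [string]$Root = $env:SystemRoot
    )
    foreach ($rel in $RelativePaths) {
        $full = Join-Path -Path $Root -ChildPath $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            # A missing binary would never match the process set entry; report it
            # instead of silently skipping it.
            [pscustomobject]@{ Path = $full; Exists = $false; SHA256 = $null; SignatureStatus = 'Missing'; Signer = $null }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        # Kernel and many System32 binaries are catalog-signed rather than embedded-signed;
        # current PowerShell on supported Windows resolves catalog signatures, older builds
        # may report NotSigned for them.
        $sig = Get-AuthenticodeSignature -FilePath $full
        [pscustomobject]@{
            Path            = $full
            Exists          = $true
            SHA256          = $hash
            SignatureStatus = $sig.Status.ToString()
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Compare a current inventory against a baseline (another host, or this host before
# patching) to see which entries of a host-specific signature set would no longer match.
function Compare-ProcessSetInventory {
    param(
        [Parameter(Mandatory)] [object[]]$Baseline,
        [Parameter(Mandatory)] [object[]]$Current
    )
    $base = @{}
    foreach ($b in $Baseline) { $base[$b.Path] = $b.SHA256 }
    foreach ($c in $Current) {
        $state = if (-not $base.ContainsKey($c.Path)) { 'New' }
                 elseif ($base[$c.Path] -ne $c.SHA256) { 'Changed' }
                 else { 'Unchanged' }
        [pscustomobject]@{ Path = $c.Path; State = $state; SHA256 = $c.SHA256 }
    }
}

$inventory = Get-ProcessSetInventory
$inventory | Format-Table Path, Exists, SignatureStatus, SHA256 -AutoSize

# Anything missing or not validly signed should be investigated before it is trusted
# in a process set: a white-listed path with an unsigned binary behind it is exactly
# the case the signature set exists to catch.
$problems = $inventory | Where-Object { -not $_.Exists -or $_.SignatureStatus -ne 'Valid' }
if ($problems) {
    Write-Warning 'Process set entries needing attention:'
    $problems | Format-Table Path, SignatureStatus -AutoSize
}

# Typical use: save a baseline now, re-run after the next patch cycle, and compare.
# Entries reported as Changed need their signature regenerated on this host.
# $inventory | Export-Clixml -Path .\processset-baseline.xml
# Compare-ProcessSetInventory -Baseline (Import-Clixml .\processset-baseline.xml) -Current (Get-ProcessSetInventory)
```

Run the script as an administrator on the host that owns the GuardPoint; it reads only file metadata and does not touch the protected device. Any entry that reports `Changed` after an update is an entry whose signature set needs regenerating before the policy is pushed again.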